Privacy Policy

Last updated: 27 March 2026

PhantomCorgi ("we", "our", "us") is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights with respect to that data.

Data we collect

Account data

  • Email address (used for login and product communications)
  • Organisation name
  • Payment information (processed by Stripe — we do not store card details)

Usage data

  • Repository names and pull request metadata (PR numbers, commit SHAs, branch names)
  • Scan results and findings (the output of our analysis, not your source code)
  • API access logs (timestamps, endpoints called, response codes)
  • Dashboard usage (pages visited, features used — anonymised)

Code data

Code Corgi processes pull request diffs to perform security analysis. Diff content is:

  • Encrypted in transit and at rest
  • Stored in object storage for the duration of the scan job plus a configurable retention period (default: 90 days)
  • Never used to train machine learning models
  • Never shared with third parties
  • Deleted on account termination upon request

How we use data

  • To provide and operate the Code Corgi service
  • To send product updates, security advisories, and billing notifications
  • To investigate and respond to support requests
  • To detect and prevent abuse of our service
  • To comply with legal obligations

We do not sell your data. We do not use your data for advertising.

Data sharing

We share data with the following categories of third-party processors:

  • Stripe — payment processing
  • AWS / cloud providers — infrastructure hosting (region configurable)
  • Postmark — transactional email

All processors are bound by data processing agreements.

Data retention

  • Account data: retained for the duration of your subscription plus 30 days after cancellation
  • Diff content: 90 days by default, configurable per organisation (Enterprise)
  • Scan findings and audit logs: retained for the duration of your subscription
  • Billing records: 7 years (legal requirement)

Your rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate personal data
  • Request deletion of your personal data
  • Export your data in a portable format
  • Object to or restrict certain processing

To exercise any of these rights, email privacy@phantomcorgi.com. We will respond within 30 days.

Cookies

The PhantomCorgi website uses a single session cookie for authentication. We do not use tracking cookies, analytics cookies, or third-party advertising cookies.

Changes to this policy

We will notify customers by email at least 14 days before making material changes to this policy. The latest version is always available at this URL.

Contact

For privacy questions or requests: privacy@phantomcorgi.com